Metasploit mailing list archives
How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem]
From: pusscat at metasploit.com (Pusscat)
Date: Thu, 25 Oct 2007 10:56:21 -0400
I'd say a good deal of security is added by each OS level security feature. Not because any of them completely prevent exploitation in all scenarios, but because they all add further requirements to the exploitation of a vulnerability which may in some cases make certain vulns impossible to exploit. When combined with other protection mechanisms with their own restraints, the probability of feasible exploitation of a given vuln can drop dramatically. Sure, you can bypass them all in isolation, the difficulty is bypassing three protections in a vuln where the environment is highly variable, there's no info disclosure, and you have a very small payload to work with. ~ Puss -----Original Message----- From: Thomas Werth [mailto:security at vahle.de] Sent: Thursday, October 25, 2007 9:13 AM To: framework at metasploit.com Subject: [framework] How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem] So Windows Hardware-enforced Data Execution Prevention stopped the exploit attemp. On http://www.uninformed.org/?v=2&a=4&t=txt skape wrote how to bypass this. Now i'd like to weight how much securtiy is added using this feature. Well it stopped the exploit very fine, but would it be possible to rewrite msf exploits/payloads so they would automaticly bypass windows protection ? I'd like to hear lists opinion to this protection. To me on one hand it stopped the exploit, but on other hand skape describes how to bypass and i won't doubt his findings. regards Thomas Thomas Werth schrieb:
Ohh, what an "easy" reason :) On Windows code execution protection is activated for all programs. IDA doesn't show X Flag for stack segment, so exceution isn't allowed. So it seems msf payload does nothing magic to circumvate code exectution protection and ida properly prompts wrong message ... H D Moore schrieb:Could it be that the stack is non-executable on your platform and IDA is misinterpreting the exception code? -HD On Wednesday 24 October 2007, Thomas Werth wrote:Now the jmp esp is donw and lands in stack. But then the same exception is thrown. "Memory could not be written The instruction at 0x12decc referenced memory at 0x12decc. The memory could not be written (0x12decc -> 12decc)" Strange is that Segment is marked as W & D public Stack. So write access should be granted... Altouhg why in generell is there a write access violation when performing a nop or former a jmp esp ? Any help and clarification is welcome.
Current thread:
- ani_loadimage_chunksize problem Thomas Werth (Oct 24)
- ani_loadimage_chunksize problem H D Moore (Oct 24)
- ani_loadimage_chunksize problem Thomas Werth (Oct 24)
- How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem] Thomas Werth (Oct 25)
- How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem] Rhys Kidd (Oct 25)
- How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem] Thomas Werth (Oct 29)
- How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem] Rhys Kidd (Oct 29)
- ani_loadimage_chunksize problem Thomas Werth (Oct 24)
- How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem] Pusscat (Oct 25)
- How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem] Thomas Werth (Oct 25)
- ani_loadimage_chunksize problem H D Moore (Oct 24)